binutils: CVE-2017-8397

Source: git://sourceware.org/git/binutils-gdb.git MR: 74114 Type: Security Fix Disposition: Backport from binutils-2_29 ChangeID: d55e7590c08c4db483bba2fa35df8fbb6283686e Description: Fix a seg-fault when processing a corrupt binary containing reloc(s) with negative addresses. PR binutils/21434 * reloc.c (bfd_perform_relocation): Check for a negative address in the reloc. Affects: <= 2.29 Author: Nick Clifton <nickc@redhat.com> (From OE-Core rev: 6dd9179c4208c8d13f7e9c784d9993606416ab97) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-09-04 18:35:19 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:08 +0000
commit: f98a25139e0cbe27b2ec99e8aea1e392d3a22255 (patch)
tree: 99d89acd1dd81c23d0c251c171b044f3d3d7fd1b
parent: 70f2d42e842bbf9d87a4a3674e648777b5afd632 (diff)
download: poky-f98a25139e0cbe27b2ec99e8aea1e392d3a22255.tar.gz
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index ecb0cdf094..a5122c5d5c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -69,6 +69,7 @@ SRC_URI = "\
     file://CVE-2017-7304.patch \
     file://CVE-2017-8393.patch \
     file://CVE-2017-8395.patch \
+     file://CVE-2017-8397.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8397.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8397.patch
new file mode 100644
index 0000000000..f966c80c4e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8397.patch
@@ -0,0 +1,50 @@
+commit 04b31182bf3f8a1a76e995bdfaaaab4c009b9cb2
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Wed Apr 26 16:30:22 2017 +0100
+    Fix a seg-fault when processing a corrupt binary containing reloc(s) with negative addresses.
+    
+        PR binutils/21434
+        * reloc.c (bfd_perform_relocation): Check for a negative address
+        in the reloc.
+Upstream-Status: Backport
+CVE: CVE-2017-8397
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/reloc.c
+===================================================================
+--- git.orig/bfd/reloc.c        2017-09-04 18:06:00.651987605 +0530
+++ git/bfd/reloc.c     2017-09-04 18:06:10.740066291 +0530
+@@ -623,7 +623,10 @@
+      PR 17512: file: c146ab8b, 46dff27f, 38e53ebf.  */
+   octets = reloc_entry->address * bfd_octets_per_byte (abfd);
+   if (octets + bfd_get_reloc_size (howto)
+-      > bfd_get_section_limit_octets (abfd, input_section))
+      > bfd_get_section_limit_octets (abfd, input_section)
+      /* Check for an overly large offset which
+        masquerades as a negative value too.  */
+      || (octets + bfd_get_reloc_size (howto) < bfd_get_reloc_size (howto)))
+     return bfd_reloc_outofrange;
+ 
+   /* Work out which section the relocation is targeted at and the
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-04 18:06:10.684065855 +0530
+++ git/bfd/ChangeLog   2017-09-04 18:08:33.845183050 +0530
+@@ -75,6 +75,12 @@
+ 
+ 2017-04-26  Nick Clifton  <nickc@redhat.com>
+ 
+       PR binutils/21434
+       * reloc.c (bfd_perform_relocation): Check for a negative address
+       in the reloc.
+
+2017-04-26  Nick Clifton  <nickc@redhat.com>
+
+        PR binutils/21431
+        * compress.c (bfd_init_section_compress_status): Check the return
+        value from bfd_malloc.
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-09-04 18:35:19 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:08 +0000
commit	f98a25139e0cbe27b2ec99e8aea1e392d3a22255 (patch)
tree	99d89acd1dd81c23d0c251c171b044f3d3d7fd1b
parent	70f2d42e842bbf9d87a4a3674e648777b5afd632 (diff)
download	poky-f98a25139e0cbe27b2ec99e8aea1e392d3a22255.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index ecb0cdf094..a5122c5d5c 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -69,6 +69,7 @@ SRC_URI = "\
69	file://CVE-2017-7304.patch \	69	file://CVE-2017-7304.patch \
70	file://CVE-2017-8393.patch \	70	file://CVE-2017-8393.patch \
71	file://CVE-2017-8395.patch \	71	file://CVE-2017-8395.patch \
		72	file://CVE-2017-8397.patch \
72	"	73	"
73	S = "${WORKDIR}/git"	74	S = "${WORKDIR}/git"
74		75


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8397.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8397.patch new file mode 100644 index 0000000000..f966c80c4e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8397.patch
@@ -0,0 +1,50 @@
		1	commit 04b31182bf3f8a1a76e995bdfaaaab4c009b9cb2
		2	Author: Nick Clifton <nickc@redhat.com>
		3	Date: Wed Apr 26 16:30:22 2017 +0100
		4
		5	Fix a seg-fault when processing a corrupt binary containing reloc(s) with negative addresses.
		6
		7	PR binutils/21434
		8	* reloc.c (bfd_perform_relocation): Check for a negative address
		9	in the reloc.
		10
		11	Upstream-Status: Backport
		12
		13	CVE: CVE-2017-8397
		14	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		15
		16
		17
		18	Index: git/bfd/reloc.c
		19	===================================================================
		20	--- git.orig/bfd/reloc.c 2017-09-04 18:06:00.651987605 +0530
		21	+++ git/bfd/reloc.c 2017-09-04 18:06:10.740066291 +0530
		22	@@ -623,7 +623,10 @@
		23	PR 17512: file: c146ab8b, 46dff27f, 38e53ebf. */
		24	octets = reloc_entry->address * bfd_octets_per_byte (abfd);
		25	if (octets + bfd_get_reloc_size (howto)
		26	- > bfd_get_section_limit_octets (abfd, input_section))
		27	+ > bfd_get_section_limit_octets (abfd, input_section)
		28	+ /* Check for an overly large offset which
		29	+ masquerades as a negative value too. */
		30	+ \|\| (octets + bfd_get_reloc_size (howto) < bfd_get_reloc_size (howto)))
		31	return bfd_reloc_outofrange;
		32
		33	/* Work out which section the relocation is targeted at and the
		34	Index: git/bfd/ChangeLog
		35	===================================================================
		36	--- git.orig/bfd/ChangeLog 2017-09-04 18:06:10.684065855 +0530
		37	+++ git/bfd/ChangeLog 2017-09-04 18:08:33.845183050 +0530
		38	@@ -75,6 +75,12 @@
		39
		40	2017-04-26 Nick Clifton <nickc@redhat.com>
		41
		42	+ PR binutils/21434
		43	+ * reloc.c (bfd_perform_relocation): Check for a negative address
		44	+ in the reloc.
		45	+
		46	+2017-04-26 Nick Clifton <nickc@redhat.com>
		47	+
		48	PR binutils/21431
		49	* compress.c (bfd_init_section_compress_status): Check the return
		50	value from bfd_malloc.